Move from API user/key to API tokens

Created on 14 July 2022, over 2 years ago
Updated 27 February 2023, almost 2 years ago

Problem/Motivation

Cloudflare today both support API tokens and the legacy API keys.

API keys are global, only one can be created per user and follow the users permissions. Meaning if Drupal is configured to use an API key from a Cloudflare user with administrator or super administrator permissions, will the API key could be misused to do harmful changes to all zones in the Cloudflare account - e.g. deleting all your Cloudflare zones!

On the other hand is the API tokens created for specific purposes / integrations and they can easily be restricted with permissions, IP restriction and even with a life time. API tokens are today the solution recommended by Cloudflare.

Read more about limitations in the legacy API keys.

Proposed resolution

  1. Create a new version of the PHP SDK that support both the existing legacy API keys and the new API tokens.
  2. Do one of the following three solutions (depending on the project roadmap)
    1. Minor version: Change the Cloudflare module to support both the legacy API keys and API tokens. Document why API tokens are recommended and how to create them in Cloudflare including the required permissions. This solution is for backwards compatibility and to avoid that all existing installations needs to change their module configuration at day 1 after upgrading.
    2. Major version: Change the Cloudflare module to support only new API tokens. Document why API tokens and how to create them in Cloudflare including the required permissions. This solution requires that existing installations should reconfigure the module after upgrading to the new major version.
    3. Go with solution 1 and mark the API key support as deprecated and that it will be removed in a future major version.
Feature request
Status

Closed: duplicate

Version

1.0

Component

Code

Created by

🇩🇰Denmark beltofte Copenhagen 🇩🇰

Live updates comments and jobs are added and updated live.
Sign in to follow issues

Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

  • 🇳🇿New Zealand RoSk0 Wellington

    Closing as token support was added in Proposal to switch Cloudflare library Fixed , and, if I'm reading merge request correctly, there is nothing additional in it.

    We could potentially use this issue to deprecate key support, but it's not deprecated by the CloudFlare at this stage, just strongly not recommended, so we can leave things where they are at the moment.

Production build 0.71.5 2024